Secure Media Streaming and Delivery

Media content, whether it be the latest blockbuster movie or a company's confidential webcasts, can be some of the most important assets for a media business. Storing, preparing, and delivering this content securely involves leveraging systems that can scale and ensure top-of-the-line security. Come find out how AWS can help you implement these workflows in the cloud using highly available, scalable, and secure cloud services such as Amazon S3 (storage), Amazon Elastic Transcoder (transcoding) and Amazon CloudFront (delivery). We also discuss the underlying concepts of secure media delivery (e.g., policy-based DRM and signed cookies/URLs), the challenges faced by customers who need to design and implement these critical modules, and how to leverage the power of AWS to accomplish those while saving on costs. In addition, we take a deep dive into a media processing stack implemented on AWS using open source components to deliver encrypted HTTP Live Streams (HLS) to various devices.

1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Secure media streaming and delivery. Nihar Bihani, Principal Product Manager, Amazon Web Services; Usman Shakeel, Principal Solutions Architect, Amazon Web Services
2. Agenda
3. Secure media streaming overview
4. Use cases and the content security solutions commonly in practice:

    | Use case | Example media distributor | Content security solution commonly in practice | Delivery solution |
    |---|---|---|---|
    | Free/Public UGC | Vimeo, WeVideo | Open | Progressive downloads, streaming |
    | Free/Secure UGC | WeVideo, YouTube | Signed URLs | Progressive downloads, streaming |
    | Ad Supported | Sony Crackle, TMZ | AES encryption, signed URLs | Mostly HTTP or RTMP streaming |
    | Premium Content (Live Linear or VOD) | Netflix, Amazon Instant Video | AES encryption, signed URLs, DRM | HTTP or RTMP streaming |
    | Prereleased Content | Studios | Encryption, watermarking, DRM | Mezzanine file transfer (mostly B2B), proxy streaming |

5. Token/signed URLs, AES encryption, DRM, Geoblocking, Watermarking
6. Overview of secure streaming on AWS
7. AWS services stack in a media workflow (Ingest/Create, Store, Process, Deliver): AWS Direct Connect, Elastic Load Balancing, AWS Import/Export, Amazon S3, AWS Storage Gateway, Amazon EBS, Amazon CloudFront, Amazon CloudSearch, Amazon SQS, Amazon Elastic Transcoder, Amazon EC2, Amazon EMR, Amazon VPC, Amazon RDS, Amazon ElastiCache, Amazon Route 53
8. Token/signed URLs, AES encryption, DRM, Geoblocking, Watermarking
9. Sample AWS architecture for VOD and live streaming. Diagram labels: Amazon CloudFront distribution, Amazon Elastic Transcoder, Amazon S3 bucket, Amazon S3 bucket, Media file, RTMP stream, Media servers on Amazon EC2, Amazon CloudFront distribution, Origin Access Identity, HTTPS, HTTPS, Media consumer
10. Amazon S3 security controls
    - Bucket-level and object-level permissions
    - Owner-only access (by default)
    - Signed URLs/query string authentication
    - AWS IAM policies
    - Versioning (MFA delete)
    - Detailed access logging (access logs)
11. Amazon S3 client-side encryption with AWS SDK for Java. Look for the AmazonS3EncryptionClient class (subclass of AmazonS3Client). Diagram labels: Corporate data center, Content, Master key, AWS SDK for Java, Envelope key, Encrypted content, Encrypted envelope key. You can use AWS Key Management Service to manage your keys as well.
12. Amazon S3 server-side encryption (at rest)
    - Encryption
    - Decryption
    - Key management (encrypted by the Amazon S3 master key; stored separately from your data)
    - 256-bit AES encryption
    - User-provided keys
    - Integration with AWS KMS

    Diagram labels: Content to be uploaded (encryption enabled in the HTTP header), Envelope key, Encrypted stored key, Encrypted stored data, Master Amazon S3 key, Amazon S3
13. Amazon CloudFront
    - Global content delivery via Amazon Route 53 edge locations
    - On-demand and live streaming
    - Supports both HTTP and RTMP streaming
    - Native support for Smooth Streaming
    - Set custom TTLs to cache all types of content
    - TCP optimizations
    - Customize content at the edge
    - Detect device type, geo-location, language, etc.
14. Amazon CloudFront security. Diagram labels: Amazon S3 (Media storage), Amazon CloudFront, End user, HTTP, HTTPS ONLY, Delivery, Amazon EC2 instances, Security group, Signed request, Amazon S3 (Logs storage)
    - Custom SSL certificate
    - Amazon CloudFront's private content feature: only deliver content to securely signed requests
    - HTTPS ONLY requests/delivery, origin fetches
    - HTTP to HTTPS redirect at the edge
    - Signed URL or signed cookie verification: policy based on a timed URL/cookie or a CIDR block of the requestor
    - Amazon CloudFront Origin Access Identity (OAI); the bucket policy statement shown on the slide:

    ```json
    {
      "Statement": [{
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"
      }]
    }
    ```
15. Amazon Elastic Transcoder
    - Scalable, cost effective (per-minute pricing)
    - Integrated with AWS services and tools (Amazon SNS, Amazon S3, AWS IAM, AWS CloudTrail, and AWS SDK)
    - Codecs, processing, and licensing baked in
    - Outputs:
      - Popular web formats such as MP4 with H.264/AAC and WebM with VP8/Vorbis
      - Adaptive bitrate formats such as HLS and Smooth Streaming
      - Audio-only processing for inputs and outputs
    - Features include captions, visual watermarks, clipping, and more
16. Amazon Elastic Transcoder security
    - Encryption at rest
      - Server managed keys
      - Client provided keys
      - Integration with AWS Key Management Service: Amazon Elastic Transcoder only accepts AWS KMS protected keys; the key is never written or stored in cleartext
    - Encryption for HLS streams
      - Built on top of the "client provided keys" API
      - Amazon Elastic Transcoder generates HLS playlists embedding the URI for the decryption key
    - Digital Rights Management (New): PlayReady DRM packaging
    - AWS CloudTrail integration
17. Media software on AWS Marketplace
    - Launch software on AWS with 1-Click
    - Pay-by-the-hour, monthly, or annually
    - Single invoice for AWS usage and ISV software
    - Free trials
18. Security certifications and compliance. Layers: Facilities, Physical security, Physical infrastructure, Network infrastructure, Virtualization infrastructure. Certifications:
    - SOC 1, SOC 2, and SOC 3 (SSAE16/ISAE 3402 audit)
    - ISO 27001 certification
    - PCI level 1 service provider
    - FedRAMP (FISMA)
    - AWS GovCloud (US)
    - MPAA best practices alignment

    Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO, and International Traffic in Arms Regulations (ITAR) workloads.
19. AWS Identity and Access Management (IAM)
    - Unique security credentials
      - Access keys, login/password, multi-factor authentication (MFA) device
      - Federated authentication (AWS Security Token Service [STS])
    - Policies control access to AWS APIs
      - API calls must be signed by either X.509 certificate or secret key
    - Deep integration with other AWS services
      - Amazon S3: policies on objects and buckets
      - Amazon CloudFront: resource permissions
      - Amazon Elastic Transcoder
      - Amazon EC2
    - IAM policies applicable to AWS Marketplace software
20. Log, Monitor, Act Proactively. You are making API calls and accessing your content… on a growing set of services around the world accessing your content… AWS CloudTrail is continuously recording API calls… and delivering log files to you. Services shown: Elastic Load Balancing, Amazon S3, Amazon Glacier, Amazon CloudFront, Amazon Redshift, Amazon EC2, AWS IAM, Amazon RDS, Amazon Elastic Transcoder. Amazon S3/Amazon CloudFront/App logs and access logs: feed logs into Amazon CloudWatch or monitor patterns on logs; act fast or automate based on real-time notifications and alerts.
21. Demo: Secure on-demand streaming
22. On-demand streaming demo components
    - AWS services used:
      - Amazon S3 for storage
      - Amazon Elastic Transcoder for transformation and encryption
      - Amazon CloudFront for global delivery
      - AWS Key Management Service
    - JW Player for delivery
    - Benefit from the high availability, scalability, and low cost offered by AWS services.
23. On-demand transcoding and encrypted file delivery. Diagram labels: Amazon S3 bucket, Amazon CloudFront distribution, Availability Zone a, Elastic Load Balancing, Amazon EC2 instance (web app server), Availability Zone b, Amazon Elastic Transcoder, Media owner, AWS Key Management Service, Amazon S3 bucket, Amazon EC2 instance, Amazon DynamoDB. Key table shown:

    | Key Name | Base64 Encoded Key |
    |---|---|
    | Big Buck Bunny | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY… |
    | Elephants Dream | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad… |

24. Demo: Secure live streaming
25. Live-streaming demo components
    - Uses Amazon EC2 running nginx with the plugin nginx-rtmp-module
    - Transcodes using FFmpeg (compiled with RTMP module)
    - RTMP/HLS/MPEG-DASH live streaming
    - https://github.com/arut/nginx-rtmp-module
26. Live stream failover setup. Diagram labels: RTMP stream, Amazon Route 53 DNS failover, Availability Zone a (Amazon EC2 instance, nginx transcoder), Availability Zone b (Amazon EC2 instance, nginx transcoder), Elastic Load Balancing, Amazon CloudFront, Amazon Route 53 DNS failover
27. Best practices
    - Limit access to port 1935 to only trusted sources
    - Define TTL settings for .ts files and .m3u8
    - Negative TTLs (sequential)
    - Geo-block access to stream if necessary
    - Rotate the key file as often as possible
    - Randomize the .ts file name for live streams
28. Allow access to port 1935 from trusted sources (security group rules):

    | Type | Protocol | Port Range | Source |
    |---|---|---|---|
    | HTTP | TCP | 80 | 0.0.0.0/0 |
    | HTTPS | TCP | 443 | 0.0.0.0/0 |
    | Custom TCP rule | TCP | 1935 | 54.255.255.0/32 |

29. Define TTL settings for .ts files and .m3u8
30. Geo-restrict access to stream if necessary
31. nginx RTMP / HLS configuration:

    ```nginx
    rtmp {
        server {
            listen 1935;
            chunk_size 4096;

            application live {
                live on;
                record off;
                exec_push ffmpeg -i rtmp://localhost/live/$name -vcodec libx264 -vprofile baseline -g 5 -s 640x360 -acodec libfdk_aac -ar 44100 -ac 1 -f flv rtmp://localhost/hls/$name;
            }

            application hls {
                live on;
                hls on;
                hls_path /tmp/hls;
                hls_fragment 5s;
                # Use HLS encryption
                hls_keys on;
                # Use stream timestamp rounded to 250ms as fragment names
                hls_fragment_naming timestamp;
                hls_fragment_naming_granularity 250;
                # Store autogenerated keys in this location rather than hls_path
                hls_key_path /tmp/keys;
                # Prepend key url with this value
                hls_key_url https://enter URL here/keys/;
                # Change HLS key every 2 fragments
                hls_fragments_per_key 2;
                # Create identical fragments on different nginx instances for high availability (without encryption)
                hls_fragment_slicing aligned;
                hls_cleanup on;
            }
        }
    }
    ```
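The hls block above asks nginx-rtmp-module to encrypt fragments, rotate the key every two fragments and prefix the key name with hls_key_url in the playlist, and slide 16 describes Elastic Transcoder producing the same kind of output. As an added example, not the module's code or the deck's, here is that packaging step in Go using only the standard library: it assumes the fragment bytes are already available, takes the key URL prefix as a parameter, and names segments and keys by media sequence number.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"strings"
)

// EncryptSegment seals one fragment with AES-128-CBC and PKCS#7 padding, as METHOD=AES-128 requires.
// With no IV attribute in #EXT-X-KEY, players use the media sequence number as a 128-bit big-endian IV.
func EncryptSegment(key, plain []byte, seq uint64) []byte {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], seq)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// Package rotates to a fresh random 128-bit key every fragsPerKey fragments (hls_fragments_per_key), encrypts each
// fragment under the current key and writes the playlist with matching #EXT-X-KEY lines; keys come back by file name.
func Package(fragments [][]byte, fragsPerKey int, keyURL string, firstSeq uint64) (string, [][]byte, map[string][]byte) {
	var pl strings.Builder
	fmt.Fprintf(&pl, "#EXTM3U\n#EXT-X-VERSION:3\n#EXT-X-TARGETDURATION:5\n#EXT-X-MEDIA-SEQUENCE:%d\n", firstSeq)
	keys, sealed := map[string][]byte{}, [][]byte{}
	var key []byte
	for i, frag := range fragments {
		seq := firstSeq + uint64(i)
		if i%fragsPerKey == 0 { // rotation boundary: new key, new #EXT-X-KEY line for the segments that follow
			key = make([]byte, 16)
			if _, err := rand.Read(key); err != nil {
				panic(err)
			}
			keys[fmt.Sprintf("%d.key", seq)] = key
			fmt.Fprintf(&pl, "#EXT-X-KEY:METHOD=AES-128,URI=\"%s%d.key\"\n", keyURL, seq)
		}
		sealed = append(sealed, EncryptSegment(key, frag, seq))
		fmt.Fprintf(&pl, "#EXTINF:5.0,\n%d.ts\n", seq)
	}
	return pl.String(), sealed, keys
}
```

The key files returned here are what the deck puts behind a signed CloudFront request or an IAM-gated key server; applying the best practice of randomizing .ts names for live streams would replace the sequence-number naming above with unguessable names.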
32. Sample AWS architecture for VOD and live streaming. Diagram labels: Amazon CloudFront distribution, Amazon Elastic Transcoder, Amazon S3 bucket, Amazon S3 bucket, Media file, RTMP stream, Media servers on Amazon EC2, Amazon CloudFront distribution, Origin Access Identity, HTTPS, HTTPS, Media consumer
33. Sample AWS architecture for secure VOD and live streaming. Diagram labels: Amazon CloudFront distribution, Amazon Elastic Transcoder, Amazon S3 bucket, Amazon S3 bucket, Media file, RTMP stream, Media servers on Amazon EC2, Amazon CloudFront distribution, Origin Access Identity, HTTPS, HTTPS, Media owner, Media consumer, AWS Key Management Service (KMS). Callouts as numbered on the slide: (1) Media Owner can create a primary key on AWS KMS; (2) Amazon Elastic Transcoder can have an IAM role to request the data key from AWS KMS; (3) Amazon EC2, Amazon Elastic Transcoder can request the data key on behalf of customers; (3) Media server generating keys and serving, or using AWS KMS via IAM role for key management; (5) Amazon CloudFront secure cookie to allow or deny customers access to the manifest; (4) Encrypted content segments and keys stored in Amazon S3 (keys can be served outside of Amazon S3 as well)
34. SAN FRANCISCO